Date
July 22, 2025, 5:13 a.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 32.377755] ================================================================== [ 32.377958] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 32.378023] Read of size 1 at addr fff00000c921c240 by task kunit_try_catch/262 [ 32.378079] [ 32.378267] CPU: 1 UID: 0 PID: 262 Comm: kunit_try_catch Tainted: G B W N 6.16.0-rc7-next-20250722 #1 PREEMPT [ 32.378372] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST [ 32.378410] Hardware name: linux,dummy-virt (DT) [ 32.378440] Call trace: [ 32.378473] show_stack+0x20/0x38 (C) [ 32.378525] dump_stack_lvl+0x8c/0xd0 [ 32.378569] print_report+0x118/0x5e8 [ 32.378806] kasan_report+0xdc/0x128 [ 32.378935] __asan_report_load1_noabort+0x20/0x30 [ 32.379156] mempool_uaf_helper+0x314/0x340 [ 32.379225] mempool_slab_uaf+0xc0/0x118 [ 32.379306] kunit_try_run_case+0x170/0x3f0 [ 32.379359] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.379433] kthread+0x328/0x630 [ 32.379500] ret_from_fork+0x10/0x20 [ 32.379547] [ 32.379702] Allocated by task 262: [ 32.379745] kasan_save_stack+0x3c/0x68 [ 32.379790] kasan_save_track+0x20/0x40 [ 32.379983] kasan_save_alloc_info+0x40/0x58 [ 32.380029] __kasan_mempool_unpoison_object+0xbc/0x180 [ 32.380077] remove_element+0x16c/0x1f8 [ 32.380116] mempool_alloc_preallocated+0x58/0xc0 [ 32.380336] mempool_uaf_helper+0xa4/0x340 [ 32.380502] mempool_slab_uaf+0xc0/0x118 [ 32.380548] kunit_try_run_case+0x170/0x3f0 [ 32.380595] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.380653] kthread+0x328/0x630 [ 32.380691] ret_from_fork+0x10/0x20 [ 32.380728] [ 32.380747] Freed by task 262: [ 32.380775] kasan_save_stack+0x3c/0x68 [ 32.381012] kasan_save_track+0x20/0x40 [ 32.381121] kasan_save_free_info+0x4c/0x78 [ 32.381262] __kasan_mempool_poison_object+0xc0/0x150 [ 32.381351] mempool_free+0x3f4/0x5f0 [ 32.381396] mempool_uaf_helper+0x104/0x340 [ 32.381600] mempool_slab_uaf+0xc0/0x118 [ 32.381647] kunit_try_run_case+0x170/0x3f0 [ 32.381739] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.381823] kthread+0x328/0x630 [ 32.381912] ret_from_fork+0x10/0x20 [ 32.382019] [ 32.382094] The buggy address belongs to the object at fff00000c921c240 [ 32.382094] which belongs to the cache test_cache of size 123 [ 32.382350] The buggy address is located 0 bytes inside of [ 32.382350] freed 123-byte region [fff00000c921c240, fff00000c921c2bb) [ 32.382525] [ 32.382585] The buggy address belongs to the physical page: [ 32.382732] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10921c [ 32.382802] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 32.383035] page_type: f5(slab) [ 32.383204] raw: 0bfffe0000000000 fff00000c9247280 dead000000000122 0000000000000000 [ 32.383317] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 32.383453] page dumped because: kasan: bad access detected [ 32.383495] [ 32.383514] Memory state around the buggy address: [ 32.383683] fff00000c921c100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 32.383931] fff00000c921c180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.384060] >fff00000c921c200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 32.384101] ^ [ 32.384136] fff00000c921c280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 32.384178] fff00000c921c300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.384215] ================================================================== [ 32.352021] ================================================================== [ 32.352096] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x314/0x340 [ 32.352168] Read of size 1 at addr fff00000c9a95700 by task kunit_try_catch/258 [ 32.352217] [ 32.352257] CPU: 1 UID: 0 PID: 258 Comm: kunit_try_catch Tainted: G B W N 6.16.0-rc7-next-20250722 #1 PREEMPT [ 32.352350] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST [ 32.352380] Hardware name: linux,dummy-virt (DT) [ 32.352412] Call trace: [ 32.352439] show_stack+0x20/0x38 (C) [ 32.352490] dump_stack_lvl+0x8c/0xd0 [ 32.352540] print_report+0x118/0x5e8 [ 32.352584] kasan_report+0xdc/0x128 [ 32.352626] __asan_report_load1_noabort+0x20/0x30 [ 32.352672] mempool_uaf_helper+0x314/0x340 [ 32.352720] mempool_kmalloc_uaf+0xc4/0x120 [ 32.352767] kunit_try_run_case+0x170/0x3f0 [ 32.352830] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.353075] kthread+0x328/0x630 [ 32.353128] ret_from_fork+0x10/0x20 [ 32.353178] [ 32.353199] Allocated by task 258: [ 32.353227] kasan_save_stack+0x3c/0x68 [ 32.353270] kasan_save_track+0x20/0x40 [ 32.353307] kasan_save_alloc_info+0x40/0x58 [ 32.353345] __kasan_mempool_unpoison_object+0x11c/0x180 [ 32.353387] remove_element+0x130/0x1f8 [ 32.353428] mempool_alloc_preallocated+0x58/0xc0 [ 32.353469] mempool_uaf_helper+0xa4/0x340 [ 32.353509] mempool_kmalloc_uaf+0xc4/0x120 [ 32.353549] kunit_try_run_case+0x170/0x3f0 [ 32.353587] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.353630] kthread+0x328/0x630 [ 32.353664] ret_from_fork+0x10/0x20 [ 32.353702] [ 32.353720] Freed by task 258: [ 32.353748] kasan_save_stack+0x3c/0x68 [ 32.353784] kasan_save_track+0x20/0x40 [ 32.353835] kasan_save_free_info+0x4c/0x78 [ 32.353873] __kasan_mempool_poison_object+0xc0/0x150 [ 32.353914] mempool_free+0x3f4/0x5f0 [ 32.353950] mempool_uaf_helper+0x104/0x340 [ 32.353992] mempool_kmalloc_uaf+0xc4/0x120 [ 32.354032] kunit_try_run_case+0x170/0x3f0 [ 32.354068] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.354112] kthread+0x328/0x630 [ 32.354144] ret_from_fork+0x10/0x20 [ 32.354185] [ 32.354205] The buggy address belongs to the object at fff00000c9a95700 [ 32.354205] which belongs to the cache kmalloc-128 of size 128 [ 32.354265] The buggy address is located 0 bytes inside of [ 32.354265] freed 128-byte region [fff00000c9a95700, fff00000c9a95780) [ 32.354323] [ 32.354345] The buggy address belongs to the physical page: [ 32.354385] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109a95 [ 32.354441] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 32.354493] page_type: f5(slab) [ 32.354534] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000 [ 32.354583] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 32.354623] page dumped because: kasan: bad access detected [ 32.354654] [ 32.354672] Memory state around the buggy address: [ 32.354705] fff00000c9a95600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.354748] fff00000c9a95680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.354790] >fff00000c9a95700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.354837] ^ [ 32.354863] fff00000c9a95780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.354904] fff00000c9a95800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 32.354942] ==================================================================
[ 26.670795] ================================================================== [ 26.671366] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400 [ 26.671843] Read of size 1 at addr ffff888106002240 by task kunit_try_catch/279 [ 26.672188] [ 26.672285] CPU: 1 UID: 0 PID: 279 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7-next-20250722 #1 PREEMPT(voluntary) [ 26.672337] Tainted: [B]=BAD_PAGE, [N]=TEST [ 26.672351] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 26.672374] Call Trace: [ 26.672388] <TASK> [ 26.672404] dump_stack_lvl+0x73/0xb0 [ 26.672436] print_report+0xd1/0x640 [ 26.672460] ? __virt_addr_valid+0x1db/0x2d0 [ 26.672484] ? mempool_uaf_helper+0x392/0x400 [ 26.672508] ? kasan_complete_mode_report_info+0x64/0x200 [ 26.672534] ? mempool_uaf_helper+0x392/0x400 [ 26.672557] kasan_report+0x141/0x180 [ 26.672580] ? mempool_uaf_helper+0x392/0x400 [ 26.672607] __asan_report_load1_noabort+0x18/0x20 [ 26.672633] mempool_uaf_helper+0x392/0x400 [ 26.672920] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 26.672949] ? finish_task_switch.isra.0+0x153/0x700 [ 26.672976] mempool_slab_uaf+0xea/0x140 [ 26.673000] ? __pfx_mempool_slab_uaf+0x10/0x10 [ 26.673024] ? __kasan_check_write+0x18/0x20 [ 26.673051] ? __pfx_mempool_alloc_slab+0x10/0x10 [ 26.673078] ? __pfx_mempool_free_slab+0x10/0x10 [ 26.673104] ? __pfx_read_tsc+0x10/0x10 [ 26.673128] ? ktime_get_ts64+0x86/0x230 [ 26.673151] ? sysvec_apic_timer_interrupt+0x50/0x90 [ 26.673191] kunit_try_run_case+0x1a5/0x480 [ 26.673218] ? __pfx_kunit_try_run_case+0x10/0x10 [ 26.673244] ? queued_spin_lock_slowpath+0x116/0xb40 [ 26.673270] ? __kthread_parkme+0x82/0x180 [ 26.673291] ? preempt_count_sub+0x50/0x80 [ 26.673316] ? __pfx_kunit_try_run_case+0x10/0x10 [ 26.673343] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 26.673366] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 26.673391] kthread+0x337/0x6f0 [ 26.673411] ? trace_preempt_on+0x20/0xc0 [ 26.673434] ? __pfx_kthread+0x10/0x10 [ 26.673468] ? _raw_spin_unlock_irq+0x47/0x80 [ 26.673493] ? calculate_sigpending+0x7b/0xa0 [ 26.673518] ? __pfx_kthread+0x10/0x10 [ 26.673540] ret_from_fork+0x116/0x1d0 [ 26.673561] ? __pfx_kthread+0x10/0x10 [ 26.673582] ret_from_fork_asm+0x1a/0x30 [ 26.673615] </TASK> [ 26.673626] [ 26.682162] Allocated by task 279: [ 26.682368] kasan_save_stack+0x45/0x70 [ 26.682904] kasan_save_track+0x18/0x40 [ 26.683118] kasan_save_alloc_info+0x3b/0x50 [ 26.683437] __kasan_mempool_unpoison_object+0x1bb/0x200 [ 26.683700] remove_element+0x11e/0x190 [ 26.683861] mempool_alloc_preallocated+0x4d/0x90 [ 26.684093] mempool_uaf_helper+0x96/0x400 [ 26.684382] mempool_slab_uaf+0xea/0x140 [ 26.684672] kunit_try_run_case+0x1a5/0x480 [ 26.684885] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 26.685148] kthread+0x337/0x6f0 [ 26.685319] ret_from_fork+0x116/0x1d0 [ 26.685505] ret_from_fork_asm+0x1a/0x30 [ 26.685745] [ 26.685851] Freed by task 279: [ 26.685967] kasan_save_stack+0x45/0x70 [ 26.686103] kasan_save_track+0x18/0x40 [ 26.686236] kasan_save_free_info+0x3f/0x60 [ 26.686382] __kasan_mempool_poison_object+0x131/0x1d0 [ 26.686551] mempool_free+0x490/0x640 [ 26.686682] mempool_uaf_helper+0x11a/0x400 [ 26.686894] mempool_slab_uaf+0xea/0x140 [ 26.687276] kunit_try_run_case+0x1a5/0x480 [ 26.687534] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 26.687791] kthread+0x337/0x6f0 [ 26.687970] ret_from_fork+0x116/0x1d0 [ 26.688146] ret_from_fork_asm+0x1a/0x30 [ 26.688450] [ 26.688589] The buggy address belongs to the object at ffff888106002240 [ 26.688589] which belongs to the cache test_cache of size 123 [ 26.689095] The buggy address is located 0 bytes inside of [ 26.689095] freed 123-byte region [ffff888106002240, ffff8881060022bb) [ 26.689604] [ 26.689705] The buggy address belongs to the physical page: [ 26.689983] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106002 [ 26.690327] flags: 0x200000000000000(node=0|zone=2) [ 26.690595] page_type: f5(slab) [ 26.690759] raw: 0200000000000000 ffff888101d72b40 dead000000000122 0000000000000000 [ 26.691010] raw: 0000000000000000 0000000080150015 00000000f5000000 0000000000000000 [ 26.691636] page dumped because: kasan: bad access detected [ 26.691867] [ 26.691961] Memory state around the buggy address: [ 26.692180] ffff888106002100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 26.692614] ffff888106002180: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.692932] >ffff888106002200: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 26.693222] ^ [ 26.693551] ffff888106002280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 26.693857] ffff888106002300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 26.694126] ================================================================== [ 26.606575] ================================================================== [ 26.607107] BUG: KASAN: slab-use-after-free in mempool_uaf_helper+0x392/0x400 [ 26.607472] Read of size 1 at addr ffff8881058a9900 by task kunit_try_catch/275 [ 26.607906] [ 26.608095] CPU: 1 UID: 0 PID: 275 Comm: kunit_try_catch Tainted: G B N 6.16.0-rc7-next-20250722 #1 PREEMPT(voluntary) [ 26.608161] Tainted: [B]=BAD_PAGE, [N]=TEST [ 26.608188] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 26.608239] Call Trace: [ 26.608253] <TASK> [ 26.608270] dump_stack_lvl+0x73/0xb0 [ 26.608315] print_report+0xd1/0x640 [ 26.608339] ? __virt_addr_valid+0x1db/0x2d0 [ 26.608366] ? mempool_uaf_helper+0x392/0x400 [ 26.608388] ? kasan_complete_mode_report_info+0x64/0x200 [ 26.608442] ? mempool_uaf_helper+0x392/0x400 [ 26.608465] kasan_report+0x141/0x180 [ 26.608498] ? mempool_uaf_helper+0x392/0x400 [ 26.608573] __asan_report_load1_noabort+0x18/0x20 [ 26.608635] mempool_uaf_helper+0x392/0x400 [ 26.608660] ? __pfx_mempool_uaf_helper+0x10/0x10 [ 26.608695] ? dequeue_entities+0x23f/0x1630 [ 26.608724] ? __pfx_sched_clock_cpu+0x10/0x10 [ 26.608747] ? finish_task_switch.isra.0+0x153/0x700 [ 26.608774] mempool_kmalloc_uaf+0xef/0x140 [ 26.608798] ? __pfx_mempool_kmalloc_uaf+0x10/0x10 [ 26.608823] ? __pfx_mempool_kmalloc+0x10/0x10 [ 26.608859] ? __pfx_mempool_kfree+0x10/0x10 [ 26.608891] ? __pfx_read_tsc+0x10/0x10 [ 26.608914] ? ktime_get_ts64+0x86/0x230 [ 26.608942] kunit_try_run_case+0x1a5/0x480 [ 26.608970] ? __pfx_kunit_try_run_case+0x10/0x10 [ 26.608993] ? _raw_spin_lock_irqsave+0xa1/0x100 [ 26.609019] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 26.609045] ? __kthread_parkme+0x82/0x180 [ 26.609067] ? preempt_count_sub+0x50/0x80 [ 26.609090] ? __pfx_kunit_try_run_case+0x10/0x10 [ 26.609115] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 26.609139] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 26.609165] kthread+0x337/0x6f0 [ 26.609187] ? trace_preempt_on+0x20/0xc0 [ 26.609212] ? __pfx_kthread+0x10/0x10 [ 26.609233] ? _raw_spin_unlock_irq+0x47/0x80 [ 26.609259] ? calculate_sigpending+0x7b/0xa0 [ 26.609285] ? __pfx_kthread+0x10/0x10 [ 26.609306] ret_from_fork+0x116/0x1d0 [ 26.609327] ? __pfx_kthread+0x10/0x10 [ 26.609349] ret_from_fork_asm+0x1a/0x30 [ 26.609380] </TASK> [ 26.609392] [ 26.622147] Allocated by task 275: [ 26.622329] kasan_save_stack+0x45/0x70 [ 26.622930] kasan_save_track+0x18/0x40 [ 26.623228] kasan_save_alloc_info+0x3b/0x50 [ 26.623429] __kasan_mempool_unpoison_object+0x1a9/0x200 [ 26.623965] remove_element+0x11e/0x190 [ 26.624260] mempool_alloc_preallocated+0x4d/0x90 [ 26.624640] mempool_uaf_helper+0x96/0x400 [ 26.624983] mempool_kmalloc_uaf+0xef/0x140 [ 26.625349] kunit_try_run_case+0x1a5/0x480 [ 26.625772] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 26.626149] kthread+0x337/0x6f0 [ 26.626613] ret_from_fork+0x116/0x1d0 [ 26.626930] ret_from_fork_asm+0x1a/0x30 [ 26.627236] [ 26.627339] Freed by task 275: [ 26.627657] kasan_save_stack+0x45/0x70 [ 26.627958] kasan_save_track+0x18/0x40 [ 26.628137] kasan_save_free_info+0x3f/0x60 [ 26.628371] __kasan_mempool_poison_object+0x131/0x1d0 [ 26.628731] mempool_free+0x490/0x640 [ 26.629100] mempool_uaf_helper+0x11a/0x400 [ 26.629635] mempool_kmalloc_uaf+0xef/0x140 [ 26.629865] kunit_try_run_case+0x1a5/0x480 [ 26.630235] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 26.630731] kthread+0x337/0x6f0 [ 26.631040] ret_from_fork+0x116/0x1d0 [ 26.631264] ret_from_fork_asm+0x1a/0x30 [ 26.631688] [ 26.631789] The buggy address belongs to the object at ffff8881058a9900 [ 26.631789] which belongs to the cache kmalloc-128 of size 128 [ 26.632599] The buggy address is located 0 bytes inside of [ 26.632599] freed 128-byte region [ffff8881058a9900, ffff8881058a9980) [ 26.633117] [ 26.633414] The buggy address belongs to the physical page: [ 26.633619] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1058a9 [ 26.634024] flags: 0x200000000000000(node=0|zone=2) [ 26.634264] page_type: f5(slab) [ 26.634390] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000 [ 26.634982] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 26.635289] page dumped because: kasan: bad access detected [ 26.635547] [ 26.635644] Memory state around the buggy address: [ 26.635852] ffff8881058a9800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.636123] ffff8881058a9880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 26.636549] >ffff8881058a9900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 26.636849] ^ [ 26.636973] ffff8881058a9980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 26.637259] ffff8881058a9a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 26.637635] ==================================================================